NIST-PEC Meeting, December 2011: Security and Privacy for ...
Security and Privacy
for 21st Century Metrology
George Danezis (MSR)
Alfredo Rial (KU Leuven)
Markulf Kohlweiss (MSR),
Klaus Kursawe (Nijmegen),
Cedric Fournet (MSR),
Andy Gordon (MSR),
Misha Aizatulin (OU),
Francois Dupressoir (OU)
and MS XCG
NIST PEC Workshop
December 8-9, 2011
Modern metrology
• What is metrology?
• Legal metrology & security (& NIST)
• Liberalization impact
• Digital networked meters
• Digital security & privacy
Example: smart electricity meter
Measures power consumption over every 15-30 minutes (KW/h)
Stores readings for up to 13 months.
Registers for input / output (micro generation) and multiple channels
Wide area network communications for control and readings
Pre-payment
Tamper resistance
Remote disconnection
Utility
• Real time aggregates
• Billing
• Forecasting
• Fraud detection
Metering Security or privacy today
Meter
(Electricity, time)
(Gas, time)
User
Utility
Provider
Policy
Dynamic rates per ½ hour
Fixed plan of rates
(Non-linear rates -- taxation)
Electricity readings per ½ hour
Payment
Bill Display
Transport security
Certification & tamper evidence (Signatures?)
Chain of evidence gap
Exposed readings
Verification?
User control?
Access to data?
Desirable security properties
• End-to-end integrity and authenticity
• End-user privacy / information self-determination
• Versatility & public policy objectives
• Robust security engineering
Integrity & Authenticity
• End-to-end property:
– Establish the authenticity & integrity of a reading throughout the lifetime of the reading.
– “Valid reading from specific certified metrology unit”
• Universal / public verifiability:
– No need for secrets to verify readings => all parties can verify them.
• Stronger: integrity of computations.
– Interaction with privacy = not trivial.
– Software independence = no chain of custody / can use untrusted hardware.
Privacy & self-determination
• Some readings are personal data (DP!)
• Confidentiality / Privacy
– Gold standard: only data subject has access to raw readings.
– Data minimization: e.g. private aggregation.
– But: others should still be able to compute on them.
• Informational self-determination:
– Subject can use readings further with 3rd parties.
– Audit computations performed on personal data.
– Use any device / OS.
Public policy
• Meters as part of platform
– Need for versatility, extensibility, choice.
– Lifetime: open to future technologies.
• Support competition:
– No lock-in for any party.
– High-quality readings for all.
– Ability to use any user device.
• Support secondary uses.
– Aggregation: with privacy.
• Need for standardization!
Robust security engineering
• Minimal Trusted Computing Base
– Minimal trusted hardware
– Ideally: just the certified metrology unit.
– Amenable to formal verification.
• Trusted third parties
– Ideally: no TTP
– 4C: Cost, Collusion, Corruption, Compromise.
Standardization!
Security & Privacy technologies for metrology
• Special signature scheme
– Allows for end-to-end integrity & authenticity + privacy friendly computations.
• Special encryption scheme
– Allow for aggregation from ciphertexts to get statistics.
• Standard zero-knowledge techniques
– Perform computations on user machines while preserving privacy and integrity.
Hint: Sign Pedersen commitments of readings.
Hint: Blind readings with shares from other meters.
Illustration in a smart meter setting
(A) Certified readings & policy
(B) Proof of bill & verification
Meter
(Electricity, time)
User Device
Utility
Provider
Signed & encrypted readings
Certified Policy
Dynamic rates per ½ hour
(Non-linear rates -- taxation)
Certified Bill & Zero-knowledge Proof of correctness
Signed & encrypted electricity readings per ½ hour
Shared key K
Can verify correctness of computation without access to secret readings!
Privacy: readings do not leave the user device
Extract aggregates (Sums, averages, variances)
Privacy: Cannot get back to individual readings.
Define aggregation groups & request readings
Two flavours of computations
• Fast linear computations (Billing protocol):
– Special case: policy is public, and selection of rate independent of reading.
– Very fast: process 3 weeks of all UK data in 12 days on 1 CPU.
• Generic computations protocol:
– Supports any tariff policy that can be expressed as table look-ups and polynomial splines.
– In theory supports any computation (some faster than others)
• Technical report & other resources:
– http://research.microsoft.com/en-us/projects/privacy_in_metering/
General computations?
• Fast protocol:
– Linear algebra: $\mathrm{Result} = \sum_i x_i \cdot r_i$
• General zero-knowledge proofs:
– Multiplication: $\mathrm{Result} = x_i \cdot r_i$
– Lookup: $\mathrm{Result} = \mathrm{Table}[r_i]$
– Range: $\mathrm{Result} = \mathrm{Table}[\min < r_i < \max]$
– Polynomial: $\mathrm{Result} = a \cdot r_i^3 + b \cdot r_i$
– Any circuit (decompose into gates)
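An added example, not code from the talk or the cited reports: it shows how the linear billing computation (the sum of x_i times r_i) can be verified against Pedersen commitments of the readings, as hinted on the earlier slide, without the supplier seeing any reading. The meter's signature over the commitments is omitted; the 65-bit toy group, the generators 4 and 9, the sample figures and all function names are assumptions made for illustration.

```python
import secrets

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group, generated here: smallest safe prime P = 2Q + 1 with Q > 2**64.
Q = 2**64 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G, H = 2 * Q + 1, 4, 9  # 4, 9 are squares mod P: both generate the order-Q subgroup

def commit(reading):
    """Meter: Pedersen commitment C = g^r * h^o mod P, returned with its opening o."""
    opening = secrets.randbelow(Q)
    return pow(G, reading, P) * pow(H, opening, P) % P, opening

def prove_bill(readings, openings, rates):
    """User device: bill = sum(x_i * r_i) plus the combined opening sum(x_i * o_i)."""
    bill = sum(x * r for x, r in zip(rates, readings)) % Q
    opening = sum(x * o for x, o in zip(rates, openings)) % Q
    return bill, opening

def verify_bill(commitments, rates, bill, opening):
    """Supplier: accept iff prod(C_i^x_i) == g^bill * h^opening; no r_i is revealed."""
    product = 1
    for c, x in zip(commitments, rates):
        product = product * pow(c, x, P) % P
    return product == pow(G, bill, P) * pow(H, opening, P) % P
```

A deployment would use a standard large group and an H whose discrete logarithm to base G nobody knows, since knowing it would let the user open a commitment to a different reading.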
Really any function!
• Ranges + polynomials = splines = any function
• “*” or Table[] = NAND gate = any circuit
Privacy friendly aggregation
• Aim: compute sum without revealing readings.
• 2 Phases:
– Distribute keys
– Compute readings
[Figure: three meters with readings $R_A$, $R_B$, $R_C$]
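[Figure, key distribution: the meters with readings $R_A$, $R_B$, $R_C$ send their public keys $PK_A$, $PK_B$, $PK_C$ to the group management server; every meter receives the list $PK_A$, $PK_B$, $PK_C$; the meters hold the pairwise keys $K_{AB}$, $K_{AC}$, $K_{BC}$.]
$PK_B = g^{x_b}$
$K_{AB} = H(g^{x_a x_b} \mid \text{time})$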
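[Figure, computing readings: the meters with readings $R_A$, $R_B$, $R_C$ blind them with the pairwise keys $K_{AB}$, $K_{AC}$, $K_{BC}$ and send the results to the group management server.]
$C_A = R_A + K_{AB} + K_{AC}$
$C_B = R_B - K_{AB} + K_{BC}$
$C_C = R_C - K_{AC} - K_{BC}$
$\mathrm{Sum} = C_A + C_B + C_C = R_A + R_B + R_C$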
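The two phases above as an added example, not code from the talk or the cited reports: each meter derives pairwise keys by Diffie-Hellman, blinds its reading with them, and the server's sum of ciphertexts equals the sum of readings. The toy modulus, the generator 3, SHA-256 as H, arithmetic mod 2^32, ordering by meter name to choose the sign, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy DH modulus (a Mersenne prime); NOT a secure group choice
G = 3
M = 2**32        # readings, keys and ciphertexts are integers mod M

def keygen():
    """Meter key pair: secret x and public key PK = g^x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def pair_key(my_secret, their_public, period):
    """K_AB = H(g^(x_a x_b) | time), reduced into Z_M."""
    shared = pow(their_public, my_secret, P)
    digest = hashlib.sha256(f"{shared}|{period}".encode()).digest()
    return int.from_bytes(digest, "big") % M

def blind(me, secret, reading, directory, period):
    """C = R + keys shared with later-named meters - keys shared with earlier ones."""
    c = reading
    for peer, public in directory.items():
        if peer != me:
            k = pair_key(secret, public, period)
            c += k if me < peer else -k
    return c % M

def run_round(readings, period):
    """One reporting period: returns the per-meter ciphertexts and the server's sum."""
    keys = {m: keygen() for m in readings}
    directory = {m: pk for m, (_, pk) in keys.items()}  # list the group server hands out
    cts = {m: blind(m, keys[m][0], r, directory, period) for m, r in readings.items()}
    return cts, sum(cts.values()) % M
```

Every pairwise key enters the sum once with each sign, so the keys cancel only when all meters in the group report; a missing ciphertext leaves the total blinded.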
Deployment?
We have augmented real-world smart meters to support privacy-friendly computations and aggregation.
How to deploy?
What is the eco-system?
What is the bigger picture?
Deployment: HAG
Metrology unit
Home Access Gateway (HAG)
Supplier
• Certified
• Sign + Encrypt readings
• Untrusted HW / SW
• Perform computation
• Audit
• Get aggregates
• Verify computation
Description of computation
Deployment: Cloud + Browser
Metrology unit
User Browser
Supplier
Utility Cloud
• Certified
• Sign + Encrypt readings
• Get aggregates
Check + download
Encrypted readings
• Untrusted browser (js)
• Perform computation
• Verify computation
Deployment: Cloud + Smart Phone
Metrology unit
Phone App
Supplier
Utility Cloud
• Certified
• Sign + Encrypt readings
• Get aggregates
Push readings
• Untrusted Phone App
• Perform computation
• Verify computation
Deployment: (Cloud | LAN) + PC
Metrology unit
PC
Supplier
Utility Cloud
• Certified
• Sign + Encrypt readings
• Get aggregates
Push / Pull readings
• Untrusted PC / Laptop
• Perform computation
• Audit
• Store other uses
• Verify computation
3rd Party service • Verify computation
or
Deployment: Cloud + Cloud
Metrology unit
PC / snail mail
Supplier
Utility Cloud
• Certified
• Sign + Encrypt readings
• Get aggregates
Push / Pull readings
• Delegation
• Perform computation
• Audit
• Store for other uses
• Verify computation
3rd Party service (user trusts with readings)
Authorize!
My grandmother has no smart phone!
Or granddaughter
Key message: A simple metrology unit enables secure & private uses of readings
What cost?
• Tamper resistant metrology unit
• Key generation (once)
• Pseudo-random functions (negligible)
• Generation of a commitment per reading (2 exp)
• Batch signature of commitments. (2 exp)
• Encryption of readings (aggregation)
• No communication overhead!
• Easy to formally verify!
Enables …
• End-to-end integrity + authenticity
• Privacy friendly computations
• Privacy-friendly aggregation
• Software independent integrity
• Choice of devices
• Auditability
• Generic & future proof
• …
Leave options open!
Conclusion
• Metering can be done without violating privacy + with very high integrity
• Paradigm shift: Trustworthy computations in the client domain for privacy.
Resources
• Alfredo Rial & George Danezis. Privacy-friendly smart metering. Microsoft Research Technical Report MSR-TR-2010-150. November 19, 2010.
• George Danezis, Markulf Kohlweiss, and Alfredo Rial. Differentially Private Billing with Rebates. Microsoft Research Technical Report MSR-TR-2011-10. February 2011.
• Klaus Kursawe, Markulf Kohlweiss, George Danezis. Privacy-friendly Aggregation for the Smart-grid. Microsoft Research Tech Report, March 2011.
• Nikhil Swamy, Juan Chen, Cedric Fournet, Karthikeyan Bhargavan, and Jean Yang. Security Programming with Refinement Types and Mobile Proofs. Microsoft Research Technical Report MSR-TR-2010-149. November 2010.
Technical report & other resources: http://research.microsoft.com/en-us/projects/privacy_in_metering/